• Stars
    star
    1,589
  • Rank 29,323 (Top 0.6 %)
  • Language
    JavaScript
  • License
    MIT License
  • Created over 8 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

OpenID Certified™ Relying Party (OpenID Connect/OAuth 2.0 Client) implementation for Node.js.

openid-client

openid-client is a server side OpenID Relying Party (RP, Client) implementation for Node.js runtime, supports passport.

Implemented specs & features

The following client/RP features from OpenID Connect/OAuth2.0 specifications are implemented by openid-client.

Updates to draft specifications are released as MINOR library versions, if you utilize these specification implementations consider using the tilde ~ operator in your package.json since breaking changes may be introduced as part of these version updates.

Certification

OpenID Certification
Filip Skokan has certified that openid-client conforms to the following profiles of the OpenID Connect™ protocol

  • Basic, Implicit, Hybrid, Config, Dynamic, and Form Post RP
  • FAPI 1.0 Advanced RP

Sponsor

auth0-logo If you want to quickly add OpenID Connect authentication to Node.js apps, feel free to check out Auth0's Node.js SDK and free plan. Create an Auth0 account; it's free!

Support

If you or your business use openid-client, please consider becoming a sponsor so I can continue maintaining it and adding new features carefree.

Documentation

The library exposes what are essentially steps necessary to be done by a relying party consuming OpenID Connect Authorization Server responses or wrappers around requests to its endpoints. Aside from a generic OpenID Connect passport strategy it does not expose any framework specific middlewares. Those can however be built using the exposed API, one such example is express-openid-connect

Install

Node.js LTS releases Codename Erbium and newer LTS releases are supported.

npm install openid-client

Note: Other javascript runtimes are not supported. I recommend panva/oauth4webapi, or a derivate thereof, if you're looking for a similarly compliant and certified client software that's not dependent on the Node.js runtime builtins.

Quick start

Discover an Issuer configuration using its published .well-known endpoints

import { Issuer } from 'openid-client';

const googleIssuer = await Issuer.discover('https://accounts.google.com');
console.log('Discovered issuer %s %O', googleIssuer.issuer, googleIssuer.metadata);

Authorization Code Flow

Authorization Code flow is for obtaining Access Tokens (and optionally Refresh Tokens) to use with third party APIs securely as well as Refresh Tokens. In this quick start your application also uses PKCE instead of state parameter for CSRF protection.

Create a Client instance for that issuer's authorization server intended for Authorization Code flow.

See the documentation for full API details.

const client = new googleIssuer.Client({
  client_id: 'zELcpfANLqY7Oqas',
  client_secret: 'TQV5U29k1gHibH5bx1layBo0OSAvAbRT3UYW3EWrSYBB5swxjVfWUa1BS8lqzxG/0v9wruMcrGadany3',
  redirect_uris: ['http://localhost:3000/cb'],
  response_types: ['code'],
  // id_token_signed_response_alg (default "RS256")
  // token_endpoint_auth_method (default "client_secret_basic")
}); // => Client

When you want to have your end-users authorize you need to send them to the issuer's authorization_endpoint. Consult the web framework of your choice on how to redirect but here's how to get the authorization endpoint's URL with parameters already encoded in the query to redirect to.

import { generators } from 'openid-client';
const code_verifier = generators.codeVerifier();
// store the code_verifier in your framework's session mechanism, if it is a cookie based solution
// it should be httpOnly (not readable by javascript) and encrypted.

const code_challenge = generators.codeChallenge(code_verifier);

client.authorizationUrl({
  scope: 'openid email profile',
  resource: 'https://my.api.example.com/resource/32178',
  code_challenge,
  code_challenge_method: 'S256',
});

When end-users are redirected back to your redirect_uri your application consumes the callback and passes in the code_verifier to include it in the authorization code grant token exchange.

const params = client.callbackParams(req);
const tokenSet = await client.callback('https://client.example.com/callback', params, { code_verifier });
console.log('received and validated tokens %j', tokenSet);
console.log('validated ID Token claims %j', tokenSet.claims());

You can then call the userinfo_endpoint.

const userinfo = await client.userinfo(access_token);
console.log('userinfo %j', userinfo);

And later refresh the tokenSet if it had a refresh_token.

const tokenSet = await client.refresh(refresh_token);
console.log('refreshed and validated tokens %j', tokenSet);
console.log('refreshed ID Token claims %j', tokenSet.claims());

Implicit ID Token Flow

Implicit response_type=id_token flow is perfect for simply authenticating your end-users, assuming the only job you want done is authenticating the user and then relying on your own session mechanism with no need for accessing any third party APIs with an Access Token from the Authorization Server.

Create a Client instance for that issuer's authorization server intended for ID Token implicit flow.

See the documentation for full API details.

const client = new googleIssuer.Client({
  client_id: 'zELcpfANLqY7Oqas',
  redirect_uris: ['http://localhost:3000/cb'],
  response_types: ['id_token'],
  // id_token_signed_response_alg (default "RS256")
}); // => Client

When you want to have your end-users authorize you need to send them to the issuer's authorization_endpoint. Consult the web framework of your choice on how to redirect but here's how to get the authorization endpoint's URL with parameters already encoded in the query to redirect to.

import { generators } from 'openid-client';
const nonce = generators.nonce();
// store the nonce in your framework's session mechanism, if it is a cookie based solution
// it should be httpOnly (not readable by javascript) and encrypted.

client.authorizationUrl({
  scope: 'openid email profile',
  response_mode: 'form_post',
  nonce,
});

When end-users hit back your redirect_uri with a POST (authorization request included form_post response mode) your application consumes the callback and passes the nonce in to include it in the ID Token verification steps.

// assumes req.body is populated from your web framework's body parser
const params = client.callbackParams(req);
const tokenSet = await client.callback('https://client.example.com/callback', params, { nonce });
console.log('received and validated tokens %j', tokenSet);
console.log('validated ID Token claims %j', tokenSet.claims());

Device Authorization Grant (Device Flow)

RFC8628 - OAuth 2.0 Device Authorization Grant (Device Flow) is started by starting a Device Authorization Request.

const handle = await client.deviceAuthorization();
console.log('User Code: ', handle.user_code);
console.log('Verification URI: ', handle.verification_uri);
console.log('Verification URI (complete): ', handle.verification_uri_complete);

The handle represents a Device Authorization Response with the verification_uri, user_code and other defined response properties.

You will display the instructions to the end-user and have him directed at verification_uri or verification_uri_complete, afterwards you can start polling for the Device Access Token Response.

const tokenSet = await handle.poll();
console.log('received tokens %j', tokenSet);

This will poll in the defined interval and only resolve with a TokenSet once one is received. This will handle the defined authorization_pending and slow_down "soft" errors and continue polling but upon any other error it will reject. With tokenSet received you can throw away the handle.

Client Credentials Grant Flow

Client Credentials flow is for obtaining Access Tokens to use with third party APIs on behalf of your application, rather than an end-user which was the case in previous examples.

See the documentation for full API details.

const client = new issuer.Client({
  client_id: 'zELcpfANLqY7Oqas',
  client_secret: 'TQV5U29k1gHibH5bx1layBo0OSAvAbRT3UYW3EWrSYBB5swxjVfWUa1BS8lqzxG/0v9wruMcrGadany3',
});

const tokenSet = await client.grant({
  resource: 'urn:example:third-party-api',
  grant_type: 'client_credentials'
});

FAQ

Semver?

Yes. Everything that's either exported in the TypeScript definitions file or documented is subject to Semantic Versioning 2.0.0. The rest is to be considered private API and is subject to change between any versions.

How do I use it outside of Node.js

It is only built for Node.js. Other javascript runtimes are not supported. I recommend panva/oauth4webapi, or a derivate thereof, if you're looking for a similarly compliant and certified client software that's not dependent on the Node.js runtime builtins.

How to make the client send client_id and client_secret in the body?

See Client Authentication Methods (docs).

Can I adjust the HTTP timeout?

See Customizing (docs).

More Repositories

1

jose

"JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes.
TypeScript
3,506
star
2

node-oidc-provider

OpenID Certified™ OAuth 2.0 Authorization Server implementation for Node.js
JavaScript
2,852
star
3

paseto

PASETO (Platform-Agnostic SEcurity TOkens) for Node.js with no dependencies
JavaScript
304
star
4

oauth4webapi

OAuth 2 / OpenID Connect for JavaScript Runtimes
TypeScript
273
star
5

node-oidc-provider-example

A step-by-step approach to getting an OpenID Connect Provider instance up and running using oidc-provider
JavaScript
130
star
6

dpop

DPoP for Web Platform API JavaScript runtimes
TypeScript
24
star
7

oidc-token-hash

Create and validate hashes pushed by OpenID Connect providers to ID Tokens.
JavaScript
19
star
8

hkdf

HKDF with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno.
JavaScript
19
star
9

jwterminal

a quick script pulled together to get jwt.io-like JWT debugging in your terminal
JavaScript
7
star
10

personalausweis

German ID Card Validation in node.js
JavaScript
7
star
11

openid-client-cli

CLI for managing dynamic OpenID Connect client registrations.
JavaScript
5
star
12

oidc-provider-conformance-tests

OpenID Connect Provider conformance test suite for oidc-provider library
JavaScript
5
star
13

it-should-just-work

TypeScript
1
star
14

jose-x25519-ecdh

!DEPRECATED! ECDH-ES implementation for X25519 keys extension for the jose module.
JavaScript
1
star
15

fetch-node-release

Fetch latest Node.js release version by keyword such as "stable", "lts/carbon" or "lts/*".
JavaScript
1
star
16

panva

1
star
17

openid-client-conformance-tests

OpenID Connect Relying Party conformance test suite for openid-client library
JavaScript
1
star
18

jose-chacha

!DEPRECATED! ChaCha derived AEAD algorithms extension for the `jose` (v2.x) Node.js package
JavaScript
1
star